Connect with us

Hi, what are you looking for?



PHP SuperGlobal Variables Increasingly Targeted by Hackers

Hackers are increasingly trying to exploit PHP ‘SuperGlobal’ variables as a way to compromise their targets, according to a new report from Imperva.

Hackers are increasingly trying to exploit PHP ‘SuperGlobal’ variables as a way to compromise their targets, according to a new report from Imperva.

Over the course of May, Imperva identified 3,450 requests that manipulated PHP SuperGlobal variables targeting 24 web applications. These requests were generated by 27 different source IP addresses and appeared in the form of request burst floods with peaks of more than 20 hits per minute on a single application.

The source of one such attack examined by the company was traced to an Italian host server targeting two different applications. The host server did not have a malicious reputation, and in fact belonged to an Italian bank.

The firm also said it observed SuperGlobal variable manipulation occurring as part of large vulnerability scans performed by tools such as Nikto, Nessus and Acunetix. This demonstrates that SuperGlobal manipulation has become common practice integrated into security and hacking tool routines, Imperva observed.

The report also documents an attack on a vulnerable version of the PhpMyAdmin (PMA) utility.

“This utility is often bundled with other applications using the popular MySQL Database,” the report notes. “Having this vulnerable utility present on the server, even if it is not being used by the administrator, exposes the server to code execution attacks, and as a consequence, to full server takeover. Since administrators are not necessarily aware of all the bundled software, an “opt out” security model is needed. One way to achieve such an ‘opt out’ security model is by deploying a Web Application Firewall (WAF) with constant updates of security content.”

“Because compromised hosts can be used as botnet slaves to attack other servers, exploits against PHP applications can affect the general security and health of the entire Web,” said Amichai Shulman, CTO at Imperva, in a statement. “The effects of these attacks can be great as the PHP platform is by far the most popular web application development platform, powering more than 80 percent of all websites, including Facebook and Wikipedia. Clearly, it is time for the security community to devote more attention to this issue.”

According to Imperva, organizations can mitigate these attacks by adopting a “positive security model” that specifies the allowed parameter names for each resource, thereby preventing an attacker from sending out external parameters with the same name of internal variables and overriding the internal variables’ value. In addition, SuperGlobal parameters in requests should be blocked.

Advertisement. Scroll to continue reading.

“Since there is no reason for these parameters to be present in requests, they should be banned,” the firm advised.

A copy of the report, part of Imperva’s Hacker Intelligence Initiative, is available here.

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Professional services company Slalom has appointed Christopher Burger as its first CISO.

Allied Universal announced that Deanna Steele has joined the company as CIO for North America.

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

More People On The Move

Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.